MAJOR vulnerability: bump httpclient for 4.5.2 to 4.5.3 #62
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Vulnerability Information
Bumps apache-httpclient from 4.5.2 to 4.5.3.
Listed dependency org.apache.httpcomponents:httpclient contains vulnerable methods which are called from this project. This vulnerability appears to affect httpclient package versions lower than 4.5.3 (excluding). The vulnerability has been fixed in version 4.5.3, as can be seen from the package release notes.
Vulnerable method calls
ViSearchHttpClientImpl.executeRequest(HttpUriRequest request)
CloseableHttpClient.execute(HttpUriRequest request)
URIBuilder.normalizePath(String path)
ViSearchHttpClientImpl.buildPostRequest(String url, Multimap<String, String> params)
RequestBuilder.build()
URIBuilder.normalizePath(String path)
URIBuilder.build()
URIBuilder.normalizePath(String path)
RequestBuilder.build()
URIBuilder.normalizePath(String path)
URIBuilder.build()
URIBuilder.normalizePath(String path)
What do the columns represent?
The 1st column in the table indicates the method in this repository that was found to be affected by vulnerable methods from the httpclient package.
The 2nd column indicates the httpclient method that was directly called from this repository.
The 3rd column indicates the origin vulnerable method in the httpclient package. According to our dataset, this is one of the methods that produces the HTTPCLIENT-1803 vulnerability. This method was found to be internally chain-called in the httpclient package by the method listed in column 2.
How were the results generated?
This vulnerability was analyzed specifically for usage in this project using the FASTEN Project. Statical method-level analysis was used to check for usage of vulnerable methods in the project.
Method calls between your project and httpclient have been mapped into a directed graph. From this graph, we
could then see whether any vulnerable httpclient methods are being called from within your project.
Research Scope
We are a team of 3 BSc Computer Science students at the TU Delft. Our goal is to conduct research on how developers react to method-level vulnerability information that affects their projects. We would highly appreciate if you could help us with our research and please tick statements which apply to you below.
First impression checklist
After fixing vulnerability checklist